US11018874B2 · Active · Utility · PatentIndex 68

Digital signature verification for asynchronous responses

Assignee: AMAZON TECH INC
Priority: Dec 13, 2016
Filed: Jul 29, 2019
Granted: May 25, 2021
Est. expiry: Dec 13, 2036 (~10.5 yrs left) · nominal 20-yr term from priority
Inventors: DASARAKOTHAPALLI ARJUN; AKERS MORGAN; BLUNT DAVID ALAN; MCADAMS DARIN KEITH
H04L 9/0894, H04L 9/30, H04L 9/3247, H04L 9/3268, H04L 9/0891, H04L 9/3263
PatentIndex Score: 68
Cited by: 3
References: 124
Claims: 20

Abstract

A client obtains, in response to a request to a server, a response that includes data for fulfillment of the request, a digital signature that can be verified using a digital certificate, and location information that specifies a location where the digital certificate can be obtained. The client uses the location information to access the location and obtains the digital certificate. Using the digital certificate, the client evaluates the digital signature provided in the response to determine whether the digital signature is valid. If the digital signature is valid, the client accepts the data included in the response for fulfillment of the request.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
1. A computer-implemented method, comprising:
 providing, to a server, a request; 
 obtaining, in response to the request, a token encoding:
 response data for the request; 
 a digital signature verifiable using a digital certificate; and 
 location information that indicates a location from which the digital certificate is obtainable; 
 
 decoding the token to obtain the response data, the digital signature, and the location information; 
 evaluating the response data to determine that the token has been activated for use; and 
 as a result of determining that the token has been activated:
 utilizing the location information to obtain, from the location, the digital certificate; 
 evaluating the digital certificate to determine that the digital certificate is valid; 
 utilizing the digital certificate to verify that the digital signature obtained in response to the request is valid; and 
 as a result of the digital certificate and the digital signature being valid, accepting the response data obtained in response to the request. 
 
 
     
     
2. The computer-implemented method of claim 1, wherein the response data, digital signature, and location information are encoded in a JavaScript Object Notation Web Signature token.
     
     
3. The computer-implemented method of claim 1, wherein evaluating the digital certificate to determine that the digital certificate is valid includes determining that a subject of the digital certificate specifies an identifier corresponding to the server.
     
     
4. The computer-implemented method of claim 1, wherein evaluating the digital certificate to determine that the digital certificate is valid includes determining that the digital certificate was issued by a certificate authority trusted by a client.
     
     
5. The computer-implemented method of claim 1, wherein evaluating the digital certificate to determine that the digital certificate is valid includes determining that a subject of the digital certificate specifies an identifier corresponding to an entity associated with the server that generated the digital signature on behalf of the server.
     
     
6. The computer-implemented method of claim 1, wherein utilizing the digital certificate to verify that the digital signature obtained in response to the request is valid comprises:
 obtaining, from the digital certificate, a public cryptographic key corresponding to a cryptographic key pair; 
 utilizing the public cryptographic key to determine that the digital signature was generated using a private cryptographic key of the cryptographic key pair; and 
 as a result of determining that the digital signature was generated using the private cryptographic key, validating the digital signature. 
 
     
     
7. A system, comprising at least one computing device that implements one or more services, wherein the one or more services:
 obtain, in response to transmission of a request to a server, a response to the request, wherein the response comprises a token encoding response data, a digital signature verifiable using a digital certification, and location information that indicates a location from which the digital certificate is obtainable; 
 decode the token to obtain the response data, the digital signature, and the location information; 
 evaluate the response data to determine that the token has been activated for use; and 
 as a result of determining that the token has been activated:
 obtain, using the location information, the digital certificate from the location; 
 evaluate the digital certificate to determine whether the digital certificate is valid; 
 if the digital certificate is valid, use the digital certificate to determine whether the digital signature obtained in response to the request is valid; and 
 if the digital signature obtained in response to the request is valid, accept the response data obtained in response to the request. 
 
 
     
     
8. The system of claim 7, wherein evaluating the digital certificate to determine whether the digital certificate is valid further comprises determining whether the digital certificate is expired such that if the digital certificate is expired, the response from the server is rejected.
     
     
9. The system of claim 7, wherein evaluating the digital certificate to determine whether the digital certificate is valid further comprises evaluating a subject of the digital certificate to determine whether the subject specified an identifier corresponding to an entity associated with the server that generated the digital signature on behalf of the server.
     
     
10. The system of claim 7, wherein the response is encoded in a JavaScript Object Notation Web Signature token.
     
     
11. The system of claim 7, wherein the location information is a Uniform Resource Identifier corresponding to a datastore in which the digital certificate is stored.
     
     
12. The system of claim 7, wherein using the digital certificate to determine whether the digital signature obtained in response to the request is valid further comprises:
 obtaining, from the digital certificate, a public cryptographic key corresponding to a cryptographic key pair; and 
 using the public cryptographic key to determine whether the digital signature was generated using a private cryptographic key of the cryptographic key pair such that if the digital signature was generated using the private cryptographic key, the digital signature is valid. 
 
     
     
13. The system of claim 7, wherein:
 the request specifies an algorithm to be utilized by the server to generate the digital signature; and 
 the one or more services further evaluate the digital signature to determine whether the digital signature was generated using the algorithm such that if the digital signature is generated using an alternative to the algorithm, the response is rejected. 
 
     
     
14. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
 provide, to a server, a request for data; 
 obtain, in response to the request, a response comprising a token encoding the data, a digital signature verifiable using a digital certificate, and location information corresponding to a location from which the digital certificate is obtainable; 
 decode the token to obtain the response data, the digital signature, and the location information; 
 evaluate the response data to determine that the token has been activated for use; and 
 as a result of determining that the token has been activated:
 use the location information to access the location to obtain the digital certificate; 
 as a result of the digital certificate being valid, use the digital certificate to verify that the digital signature is valid; and 
 as a result of the digital signature being valid, accept the response. 
 
 
     
     
15. The non-transitory computer-readable storage medium of claim 14, wherein the response is encoded in a in a JavaScript Object Notation Web Signature token.
     
     
16. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to:
 evaluate a subject field of the digital certificate to determine that the digital certificate specifies an identifier corresponding to the server; and 
 as a result of the subject field of the digital certificate specifying the identifier, determine that the digital certificate is valid. 
 
     
     
17. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to:
 evaluate a subject field of the digital certificate to determine that the digital certificate specifies an identifier corresponding to an entity associated with the server and generated the digital signature on behalf of the server; and 
 as a result of the subject field of the digital certificate specifying the identifier, determine that the digital certificate is valid. 
 
     
     
18. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to:
 at a time after obtaining the response, determine that the digital certificate has become invalid; 
 obtain second location information corresponding to a second location from which a second digital certificate usable to verify the digital signature is obtainable; and 
 use the second location information to access the second location to obtain the second digital certificate. 
 
     
     
19. The non-transitory computer-readable storage medium of claim 14, wherein the location information comprises a Uniform Resource Identifier usable to request the digital certificate.
     
     
20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the computer system to:
 obtain, from a certificate authority that issued the digital certificate, a certificate revocation list; 
 evaluate the certificate revocation list to determine whether the digital certificate has been revoked; and 
 determine, as a result of the digital certificate being absent from the certificate revocation list, that the digital certificate is valid.
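
The client-side flow of claim 1, with the certificate checks of claims 3, 4 and 8, as an added Go example (not code from the patent or its assignee). Assumptions: the token is a compact JWS whose header carries `alg` and `x5u`, activation is an `nbf` value in the payload, signatures are EdDSA, and `Verify`, `fetch` and the `api.example.test` name are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Verify: decode, activation check, certificate retrieval and validation, then
// signature check. Assumed: compact JWS, "alg"/"x5u" header, "nbf" claim, EdDSA.
func Verify(token, cn string, roots *x509.CertPool, fetch func(string) (*x509.Certificate, error), now time.Time) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, X5u string }
	var claims struct{ Nbf int64 }
	h, e1 := base64.RawURLEncoding.DecodeString(p[0])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("undecodable token")
	}
	if hdr.Alg != "EdDSA" { // pinned by the client, not chosen by the token
		return nil, errors.New("unexpected algorithm")
	}
	if now.Unix() < claims.Nbf {
		return nil, errors.New("token not yet activated")
	}
	cert, err := fetch(hdr.X5u) // location information -> certificate
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}) // trusted issuer, not expired
	}
	if err != nil || cert.Subject.CommonName != cn {
		return nil, errors.New("certificate unavailable, untrusted, expired, or wrong subject")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	return body, nil
}

func main() {
	_, err := Verify("a.b", "api.example.test", x509.NewCertPool(), nil, time.Now())
	println(err.Error()) // malformed token
}
```

Trust here derives from `roots` and the expected subject, not from the URI carried in the token, which remains untrusted input until the signature verifies.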

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.